  • October 02, 2007 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    October 2: Google's Gmail XSRF Vulnerability
    September 27: Apple Releases Update for iPhone
    September 27: CA BrightStor Hierarchical Storage Manager Vulnerabilities
    September 27: Cisco Products Loopback Vulnerability
    September 24: CA ARCserve Backup for Laptops and Desktops contains multiple vulnerabilities
    September 24: Google Search Appliance Vulnerability
    September 21: Reports of Multiple Product PDF Rendering Vulnerability



    Google's Gmail XSRF Vulnerability

    added October 2, 2007 at 09:10 am | updated October 2, 2007 at 09:11 am

    US-CERT is aware of a publicly reported cross-site request forgery vulnerability in Google's Gmail. A cross-site request forgery vulnerability may allow a request from an attacker to be interpreted as originating from an authenticated user.  Public reports indicate that this vulnerability may allow an attacker to create arbitrary filters for a user's Gmail account.  

    More information regarding this vulnerability can be found in Vulnerability Note VU#571584.


    Apple Releases Update for iPhone

    added September 27, 2007 at 03:29 pm

    Apple has released an update to address several vulnerabilities in the iPhone. These vulnerabilities may allow an attacker to execute arbitrary code or commands, cause a denial-of-service condition, or conduct cross-site scripting attacks on an affected device.

    More information about these vulnerabilities and the iPhone v1.1.1 update can be found in the Apple update advisory.

    US-CERT strongly encourages users to review the advisory and follow best-practice security policies to determine what updates should be applied.


    CA BrightStor Hierarchical Storage Manager Vulnerabilities

    added September 27, 2007 at 09:55 am

    US-CERT is aware of several vulnerabilities that affect the CA BrightStor Hierarchical Storage Manager version r11.5.  These vulnerabilities may allow an attacker to execute arbitrary code or gain control of the system.

    More information regarding these vulnerabilities can be found in the CA BrightStor Hierarchical Storage Manager CsAgent Security Notice.

    US-CERT recommends that users upgrade to the latest version to help mitigate the security risks.


    Cisco Products Loopback Vulnerability

    added September 27, 2007 at 09:25 am

    Cisco has released a Security Response regarding a vulnerability in the way that Cisco Catalyst 6500 and Cisco 7600 series devices use addresses from the loopback range. Cisco reports that an attacker can exploit this to bypass access control lists.

    US-CERT encourages users to apply the workarounds and software updates as listed in the Cisco Security Response.

    US-CERT will provide additional information as it becomes available.


    CA ARCserve Backup for Laptops and Desktops contains multiple vulnerabilities

    added September 24, 2007 at 03:02 pm

    US-CERT is aware of several vulnerabilities that affect the CA ARCserve Backup for Laptops and Desktops product. These vulnerabilities may allow an attacker to execute arbitrary code, bypass authentication, or cause a denial-of-service condition.

    More information regarding these vulnerabilities and which applications are affected can be found in the CA Security Advisor "CA ARCserve Backup for Laptops and Desktops Multiple Server Vulnerabilities" document.

    US-CERT recommends that users upgrade to the latest versions to help mitigate the security risks.



    Google Search Appliance Vulnerability

    added September 24, 2007 at 12:28 pm

    US-CERT is aware of a publicly reported cross-site scripting (XSS) vulnerability in Google's search appliance. Cross-site scripting vulnerabilities may allow a remote, unauthenticated attacker to inject malicious script into a web page.

    US-CERT encourages users to follow best-practice security policies as described in the Securing Your Web Browser document.

    US-CERT will provide additional information as it becomes available.


    Reports of Multiple Product PDF Rendering Vulnerability

    added September 21, 2007 at 03:24 pm

    US-CERT is aware of public reports of a vulnerability that may affect Adobe Acrobat, Adobe Acrobat Reader, and Foxit Reader. Few details are currently available, but it is claimed that an attacker may be able to execute arbitrary code or commands on an affected system by enticing a user to open a specially crafted PDF document.

    Until a security fix becomes available, US-CERT recommends users take the following actions that may help mitigate the security risk:

    • Do not open unsolicited or untrusted PDF files.
    • Disable the displaying of PDF documents in the web browser as described in the "Solution" section of Vulnerability Note VU#815960.
    • Utilize available PDF rendering services as policies permit.

    US-CERT will continue to investigate this issue and provide more information as it becomes available.